From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Mon, 17 Apr 2017 09:42:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r317045 - in stable/11: sbin/ipfw sys/conf sys/modules sys/modules/ipfw_pmod sys/netpfil/ipfw/pmod
Message-Id: <201704170942.v3H9g5JQ025570@repo.freebsd.org>
List-Id: SVN commit messages for all the -stable branches of the src tree

Author: ae
Date: Mon Apr 17 09:42:05 2017
New Revision: 317045

URL: https://svnweb.freebsd.org/changeset/base/317045

Log:
  MFC r316435:
    Add ipfw_pmod kernel module.

    The module is designed for modification of packets of any protocol.
    For now it implements only TCP MSS modification. It adds the external
    action handler for the "tcp-setmss" action. A rule with the tcp-setmss
    action does an additional check for protocol and TCP flags. If the SYN
    flag is present, it parses TCP options and modifies the MSS option if
    its value is greater than the configured value in the rule. Then it
    adjusts the TCP checksum if needed. After handling, the search continues
    with the next rule.
Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D10150 Added: stable/11/sys/modules/ipfw_pmod/ - copied from r316435, head/sys/modules/ipfw_pmod/ stable/11/sys/netpfil/ipfw/pmod/ - copied from r316435, head/sys/netpfil/ipfw/pmod/ Modified: stable/11/sbin/ipfw/ipfw.8 stable/11/sbin/ipfw/ipfw2.c stable/11/sbin/ipfw/ipfw2.h stable/11/sys/conf/NOTES stable/11/sys/conf/files stable/11/sys/conf/options stable/11/sys/modules/Makefile Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/ipfw/ipfw.8 ============================================================================== --- stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw.8 Mon Apr 17 09:42:05 2017 (r317045) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 15, 2017 +.Dd April 3, 2017 .Dt IPFW 8 .Os .Sh NAME @@ -1118,6 +1118,20 @@ It is also possible to use the keyword with setdscp. If the tablearg value is not within the 0..64 range, lower 6 bits of supplied value are used. +.It Cm tcp-setmss Ar mss +Set the Maximum Segment Size (MSS) in the TCP segment to value +.Ar mss . +The kernel module +.Cm ipfw_pmod +should be loaded or kernel should have +.Cm options IPFIREWALL_PMOD +to be able use this action. +This command does not change a packet if original MSS value is lower than +specified value. +Both TCP over IPv4 and over IPv6 are supported. +Regardless of matched a packet or not by the +.Cm tcp-setmss +rule, the search continues with the next rule. .It Cm reass Queue and reassemble IP fragments. If the packet is not fragmented, counters are updated and Modified: stable/11/sbin/ipfw/ipfw2.c ============================================================================== --- stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw2.c Mon Apr 17 09:42:05 2017 (r317045) @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include 
@@ -238,6 +239,7 @@ static struct _s_x rule_eactions[] = { { "nat64lsn", TOK_NAT64LSN }, { "nat64stl", TOK_NAT64STL }, { "nptv6", TOK_NPTV6 }, + { "tcp-setmss", TOK_TCPSETMSS }, { NULL, 0 } /* terminator */ }; @@ -272,6 +274,7 @@ static struct _s_x rule_actions[] = { { "call", TOK_CALL }, { "return", TOK_RETURN }, { "eaction", TOK_EACTION }, + { "tcp-setmss", TOK_TCPSETMSS }, { NULL, 0 } /* terminator */ }; @@ -4007,6 +4010,26 @@ chkarg: fill_cmd(action, O_CALLRETURN, F_NOT, 0); break; + case TOK_TCPSETMSS: { + u_long mss; + uint16_t idx; + + idx = pack_object(tstate, "tcp-setmss", IPFW_TLV_EACTION); + if (idx == 0) + errx(EX_DATAERR, "pack_object failed"); + fill_cmd(action, O_EXTERNAL_ACTION, 0, idx); + NEED1("Missing MSS value"); + action = next_cmd(action, &ablen); + action->len = 1; + CHECK_ACTLEN; + mss = strtoul(*av, NULL, 10); + if (mss == 0 || mss > UINT16_MAX) + errx(EX_USAGE, "invalid MSS value %s", *av); + fill_cmd(action, O_EXTERNAL_DATA, 0, (uint16_t)mss); + av++; + break; + } + default: av--; if (match_token(rule_eactions, *av) == -1) Modified: stable/11/sbin/ipfw/ipfw2.h ============================================================================== --- stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sbin/ipfw/ipfw2.h Mon Apr 17 09:42:05 2017 (r317045) @@ -284,6 +284,8 @@ enum tokens { TOK_INTPREFIX, TOK_EXTPREFIX, TOK_PREFIXLEN, + + TOK_TCPSETMSS, }; /* Modified: stable/11/sys/conf/NOTES ============================================================================== --- stable/11/sys/conf/NOTES Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/NOTES Mon Apr 17 09:42:05 2017 (r317045) 
@@ -957,6 +957,9 @@ device lagg # # IPFIREWALL_NPTV6 adds support for in kernel NPTv6 in ipfw. # +# IPFIREWALL_PMOD adds support for protocols modification module. Currently +# it supports only TCP MSS modification. +# # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. Modified: stable/11/sys/conf/files ============================================================================== --- stable/11/sys/conf/files Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/files Mon Apr 17 09:42:05 2017 (r317045) @@ -4006,6 +4006,8 @@ netpfil/ipfw/nptv6/ip_fw_nptv6.c optiona ipfirewall_nptv6 netpfil/ipfw/nptv6/nptv6.c optional inet inet6 ipfirewall \ ipfirewall_nptv6 +netpfil/ipfw/pmod/ip_fw_pmod.c optional inet ipfirewall_pmod +netpfil/ipfw/pmod/tcpmod.c optional inet ipfirewall_pmod netpfil/pf/if_pflog.c optional pflog pf inet netpfil/pf/if_pfsync.c optional pfsync pf inet netpfil/pf/pf.c optional pf inet Modified: stable/11/sys/conf/options ============================================================================== --- stable/11/sys/conf/options Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/conf/options Mon Apr 17 09:42:05 2017 (r317045) @@ -424,6 +424,7 @@ IPFIREWALL_NAT64_DIRECT_OUTPUT opt_ipfw. IPFIREWALL_NPTV6 opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h +IPFIREWALL_PMOD opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h IPSEC_SUPPORT opt_ipsec.h Modified: stable/11/sys/modules/Makefile ============================================================================== --- stable/11/sys/modules/Makefile Mon Apr 17 09:38:15 2017 (r317044) +++ stable/11/sys/modules/Makefile Mon Apr 17 09:42:05 2017 (r317045) @@ -176,6 +176,7 @@ SUBDIR= \ ipfw_nat \ ${_ipfw_nat64} \ ${_ipfw_nptv6} \ + ${_ipfw_pmod} \ ${_ipmi} \ ip6_mroute_mod \ ip_mroute_mod \ 
@@ -460,6 +461,7 @@ _toecore= toecore _if_enc= if_enc _if_gif= if_gif _if_gre= if_gre +_ipfw_pmod= ipfw_pmod .if ${MK_IPSEC_SUPPORT} != "no" _ipsec= ipsec _tcpmd5= tcp/tcpmd5
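Review bot: the new tcp-setmss paragraph in ipfw.8 has grammar that obscures the semantics: "should be loaded or kernel should have .Cm options IPFIREWALL_PMOD to be able use this action" and "Regardless of matched a packet or not by the .Cm tcp-setmss rule". Suggest "The kernel module .Cm ipfw_pmod must be loaded, or the kernel built with .Cm options IPFIREWALL_PMOD , to use this action." and "Whether or not a packet matched the .Cm tcp-setmss rule, the search continues with the next rule." The man page also never says that only segments with the SYN flag are inspected and that the MSS value is only ever lowered, which is exactly what the commit log describes; an operator reading the page should not have to infer that from "does not change a packet if original MSS value is lower than specified value".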
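Review bot: in the TOK_TCPSETMSS case in ipfw2.c, `mss = strtoul(*av, NULL, 10);` passes a NULL end pointer, so an argument such as `1400x` is silently accepted as 1400 and only an outright non-number (which strtoul returns as 0) is caught by `if (mss == 0 || mss > UINT16_MAX)`. Suggest parsing with an end pointer and rejecting trailing characters, e.g. `mss = strtoul(*av, &end, 10); if (*end != '\0' || mss == 0 || mss > UINT16_MAX)`, or strtonum(3), which takes an explicit range and rejects trailing characters. The accepted range also admits any MSS down to 1; since the action only lowers the option, a mistyped value would clamp every SYN to an almost unusable segment size, so a sane lower bound, or at least a warning in ipfw.8, is worth considering.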
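Review bot: in sys/conf/NOTES the hunk adds only the comment block for IPFIREWALL_PMOD, modelled on the IPFIREWALL_NPTV6 comment above it; the corresponding `options IPFIREWALL_PMOD` line in the options list that follows these comments is not in this hunk. Please confirm it is present, otherwise LINT will not build the in-kernel variant of the module at all.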
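Review bot: in sys/conf/files the two new entries are `optional inet ipfirewall_pmod`, whereas the adjacent nptv6 entries are `optional inet inet6 ipfirewall ipfirewall_nptv6`. Without `ipfirewall` in the dependency list, a kernel config with `options IPFIREWALL_PMOD` but no `options IPFIREWALL` will try to compile ip_fw_pmod.c and tcpmod.c against ipfw headers and symbols that are not being built. Suggest `optional inet ipfirewall ipfirewall_pmod` for both lines.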
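Review bot: in sys/conf/options the new `IPFIREWALL_PMOD opt_ipfw.h` line is appended after IPFIREWALL_VERBOSE_LIMIT, breaking the alphabetical order of the IPFIREWALL_* block (NAT64_DIRECT_OUTPUT, NPTV6, VERBOSE, VERBOSE_LIMIT). It belongs between IPFIREWALL_NPTV6 and IPFIREWALL_VERBOSE.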
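The commit log describes what tcp-setmss does on the wire: look only at SYN segments, walk the TCP options, lower the MSS option if it is above the configured value, and repair the TCP checksum. The block below is an added example written for this page, not the ipfw_pmod module's own code (which lives in sys/netpfil/ipfw/pmod/tcpmod.c and is not shown in this diff). It implements that logic in userland C over a constructed IPv4 SYN, uses the RFC 1624 incremental update so the checksum is fixed without summing the whole pseudo-header again, and handles the case the naive version gets wrong: a NOP ahead of the option puts the 16-bit MSS value at an odd offset, across two checksum words. The function names tcp_clamp_mss, build_syn and tcp4_checksum, and the 192.0.2.1/198.51.100.7 endpoints, are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TCP option kinds and the SYN flag bit, with the values used in <netinet/tcp.h>. */
#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4
#define TH_SYN         0x02

/* Constructed endpoints (RFC 5737 documentation space) for the sample segment. */
static const uint8_t SRC_IP[4] = {192, 0, 2, 1};
static const uint8_t DST_IP[4] = {198, 51, 100, 7};

/* Accumulate big-endian 16-bit words into a ones'-complement sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold the carries and complement: the Internet checksum of the sum. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full TCP checksum over the IPv4 pseudo-header plus the segment; over a segment whose
 * checksum field is already filled in it returns 0 when the checksum is valid. */
uint16_t tcp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9] = 6;                              /* IPPROTO_TCP */
    ph[10] = (uint8_t)(len >> 8);
    ph[11] = (uint8_t)len;
    return csum_fold(csum_add(csum_add(0, ph, 12), seg, len));
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one 16-bit word changed from m to m'. */
static uint16_t csum_update16(uint16_t hc, uint16_t m, uint16_t m_new)
{
    return csum_fold((uint32_t)(uint16_t)~hc + (uint16_t)~m + m_new);
}

/* Lower the MSS option of a SYN to max_mss, as ipfw's tcp-setmss does. Returns 1 if the
 * segment was modified, 0 if left alone (not a SYN, no MSS option, or MSS <= max_mss),
 * and -1 if the header or option list is malformed. */
int tcp_clamp_mss(uint8_t *tcp, size_t len, uint16_t max_mss)
{
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;
    if (hlen < 20 || hlen > len) return -1;
    if (!(tcp[13] & TH_SYN)) return 0;      /* only SYNs carry an MSS option */
    for (size_t i = 20; i < hlen;) {
        uint8_t kind = tcp[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= hlen) return -1;       /* length byte past end of header */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;   /* option runs past header */
        if (kind != TCPOPT_MAXSEG) { i += olen; continue; }
        if (olen != TCPOLEN_MAXSEG) return -1;
        size_t vo = i + 2;                  /* offset of the 16-bit MSS value */
        uint16_t m = (uint16_t)((tcp[vo] << 8) | tcp[vo + 1]), m_new = max_mss;
        if (m <= max_mss) return 0;         /* never raise the MSS */
        if (vo & 1) {                       /* a leading NOP splits the value across two
                                               checksum words: byte-swap both operands
                                               (RFC 1071 byte-order property) */
            m = (uint16_t)((m << 8) | (m >> 8));
            m_new = (uint16_t)((m_new << 8) | (m_new >> 8));
        }
        uint16_t hc = csum_update16((uint16_t)((tcp[16] << 8) | tcp[17]), m, m_new);
        tcp[vo] = (uint8_t)(max_mss >> 8);  tcp[vo + 1] = (uint8_t)max_mss;
        tcp[16] = (uint8_t)(hc >> 8);       tcp[17] = (uint8_t)hc;
        return 1;
    }
    return 0;
}

/* Build a constructed 28-byte TCP SYN (no payload) with an MSS option and a valid
 * checksum; nop_first=1 inserts a NOP so the MSS value lands at an odd offset. */
size_t build_syn(uint8_t buf[28], int nop_first, uint16_t mss)
{
    memset(buf, 0, 28);
    buf[1] = 0x50;  buf[3] = 0x50;          /* ports 80 -> 80, seq 0 */
    buf[12] = 7 << 4;                       /* data offset: 7 words = 28 bytes */
    buf[13] = TH_SYN;
    buf[14] = 0xff; buf[15] = 0xff;         /* window */
    size_t o = 20;
    if (nop_first) buf[o++] = TCPOPT_NOP;
    buf[o++] = TCPOPT_MAXSEG;
    buf[o++] = TCPOLEN_MAXSEG;
    buf[o++] = (uint8_t)(mss >> 8);
    buf[o] = (uint8_t)mss;                  /* bytes after it stay 0: EOL padding */
    uint16_t ck = tcp4_checksum(SRC_IP, DST_IP, buf, 28);
    buf[16] = (uint8_t)(ck >> 8);
    buf[17] = (uint8_t)ck;
    return 28;
}
```

The cheap way to check an incremental update like this is the one used here: after the clamp, recompute the full checksum over the modified segment and expect 0. The IPv6 case the man page mentions differs only in the 40-byte pseudo-header used by the full checksum; the option walk and the incremental update are identical, since the pseudo-header is not touched by the MSS change.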